 Oh, you guys can't see it now. How have you been? You had a midterm and a CTS in the same week. It's going to be super fun. You've got them over in the same week. That's a little bit of a fun part about this, right? Okay, so since there's a lot of questions over the last however amount of days, if we go through, like, together how to patch one of the services in the PCTL, would be helpful? Okay, so why don't we do that together as a group? Okay, so I'm everyone able, I assume everyone on every team can SSH into their team? Okay, that's step one. Okay, so I'm now the sheep user. I'm on the sheep user team. So, how is it set up? Somebody explain it to me. Pretend I'm a noob who has no idea about what's going on. How do I interact with this thing? Nobody knows. It's like one of these things you just randomly put holes down. It seems like there's a bunch of, I mean I definitely know that Say What is serving APHB content on Apache Web Server. It seems like there's other instances of Apache Web Servers that are handling the HTTP requests for all the services on 20,000 and one to 20,000 and four. Alright, let's go visit this beautiful scoreboard. Okay, so how does this game work? So if you were trying to explain to somebody how this game worked, what would you say? There are some services in this game that have four services on their entry point, three services, actually three real services. And so at each team, which is about three minutes, the game master, which is the boss, that actually checks for some stuff like the integrity of the service which performs all sorts of integrity checks on the pattern that the pattern matching and the service works correctly before the death system goes on. And also it checks also if there's some flag in that slot. So basically the attackers need to get access to the access to the file or the memory or any Azure memory to get access to the database. So basically you need to get access to the file and stack the stuff on the server on there, on the tools, on the teams. And grab that flag and get access to the system and so I think we can get something. Okay, so what is it different from the Gemini style CTF that we did before? There's a defense strategy to... Defense? Why are you going to defend it? I mean to prevent other people from getting points off of you. Yeah, so now if you think about the Jeffrey style CTF we've done in the past, all of you had one target. You could think of you were attacking just one target. Now this is an attack defense CTF so you all have your own individual servers that are each running identical copies at least at the start of some custom software. So an important thing about this type of CTF and attack defense is not something that we just put a vulnerable version of Apache and you just have to run the exploit against it to exploit some known CDE because that's not very interesting. The interesting part is that these are custom services just like you saw in Homer 3. They were custom binary programs that you have to analyze and find the vulnerability in. And then when you do that, you have to develop an exploit to launch it against all the other teams while patching your own. But when it comes to patching, most of the easiest way to patch something to make sure it's not vulnerable. Take it down. Yeah, we talked about that at the beginning, right? The most secure system is one that's unplugged and from the internet and from power and it's powered off and armored by guards in a room full of concrete. It's a pretty secure system but it's not very usable. So that's why, so here we have four services here. Did I write this? Oh, yeah, I guess I did. Okay, that's fine. So we have our four services. So there's, what is it? 15? No, 21 teams. Okay, so we have 21 teams with a bunch of sheep. Ooh, good. I don't know about the sheep, but that's a good sign. So the sheep, so we have 21 teams. So there's four copies, exact copies of this on everybody's machine. And so now, because the super lame thing to do is to just take down your service, right? Because I don't know if you can access it. Yeah. But that's not fun because then nobody can exploit it. Right? And so this is why on the scoreboard we have, if you look at the service status, we can see there's service checks. Right? So, exactly what was posted earlier, whatever you say. There's a, and our system is called a script bot that tests all of the, every single component on everyone's system. It runs multiple tests against it to see whether it's still functional. Right? So, any other questions at a high level of kind of how the game works? And does everybody understand the flag, flag ID concept? Does anybody want more clarification on that? Yes, also yes. All right. You understand it fully and you'd like some more information, right? So this is actually kind of a crazy concept. It's not a standard thing. The standard thing in an attack defense cap to the flag is there is a flag, one flag in every service. It's every tick, it's different per service, right? So, that way the scoring system can know exactly which team, which team's flag you stole just from that flag. Right? So, you can think of every tick, some random string that's generated. It's sort of the database that's put on everybody's system in this one flag location. What this means though is that flags are now not part of the system. Right? So, if you play in even Japanese style CTS, right, like we did, there would be a flag file that you would have to break into the system, read out that flag to get the flag. Right? But that's not very real. All that proves is that you can break some software on the system. So, what people did is, and as you know, flags have a certain format. So, in this game they started with, is it FLG? Yes. Or is it FLG or just FLG? Just FLG. Just FLG and then alphanumeric characters to a certain length. I can't remember what it is. 13 plus. Was it? 13 plus. 13? Okay. So, that's, so, now if you were writing a defensive system, of course what you could do is just look at outgoing traffic and say, if you see anything that matches this exact format, FLG, hexadecimal, 13 characters, change it or adapt it, or actually one year at DEF CON CTF, we had a system that was doing this that would be replacing the flags with like, backtake, rm-rf, backtake, and allegedly somebody was processing it with some tools on their laptop on another team and it wiped their device. It was kind of terrible, but you haven't been careful of anything yet. Which was, yeah. Anyways, so, because the flag is not a part of the system, right? The flag is some other thing that exists outside the service proper. So, this was an idea we came up with. Oh god, it's probably 2011, 2012 for the ICTF. Where the idea is what if we make the flag so part of the game, right? So, rather than just having a flag, right, you can actually have multiple flags. You can have flags in different positions. So, if you think about, the way I always think about it is on like a social networking site. So, let's say the flag is your status on that social networking site. Or some private message, let's say that's probably a better example. A private message that only you can view the person whose account it is, right? So, when the testing system goes to it, it can easily create a new flag. Because all it has to do is create a new account with the username and password. And then set the status to be equal to the flag, right? And then later it can check to make sure that the flag is still there. Because if you didn't break the service, because it can log in with the username and password. Now, other teams, should they be able to log in with to that user's account? No, because they don't have the right username and password, right? So, by saying that you can successfully break into anybody's account and read their private messages, that's a pretty good security exploit, right? So, if you can do that, but the question is which flag do you target? Because there's likely thousands as the game progresses, like this was running for a while, I don't even know how many flags there are here, right? Tons of flags everywhere. The question is, how do you know which flag to target? And that's when the flag ID comes in. So, for each service is different. So, for instance, I should say here, except for this to do. Oh, maybe these don't, do these not have? I don't know. So, this would be the name of the uploaded image, or in the case of the social networking, it would be the profile name of the user. So, the flag ID is server-specific and tells you exactly which flag to steal. The cool thing is, and why this is important, is this means flags can now be part of the service, where the scoring system will actually, when it's putting flags into your thing, will create a name of somebody as a flag, or it will post as a comment on somebody's wall with a flag. So, you have flags that are part of benign traffic, and you really can't tell which ones are of the benign traffic, and which one is the malicious exploit, just simply by looking for the flag, you need to actually fix and patch the exploit. This makes sense. Could you say that again? Why are there benign and malicious flags mixed? Right. So, the idea is, you as an attacker, every tick for every team, you're giving a specific flag ID, actually every tick team service, right? Per team, per service, per tick, you're giving a specific flag ID where the scoring system is saying, find me this flag that's associated with this flag ID. So, this profile. So, it'll be, here's profile, seal bop's private message. And so, if you write an exploit that is talking to the team interface, getting this list of targets, and then you write your exploit such that it takes in the IP, the port, and the flag ID, generates that exploit, does whatever bypass SQL injection, whatever you need to get that flag, gets it, and then submits it. Right? So, that's that way. But now, the benign, the scoring system knows this, so oftentimes the scoring system will use flags, and you can do this when you interact with things. You can put flags like, you know, FLG, random gibberish, because that's just data. So, you can, they will post that on a comment, you'll see flags sometimes in there that aren't the actual flags. Because it doesn't matter, it's part of data, but you know for every service exactly which flag is the same. Questions? Flag ID, flags? Yes? So, the bottom line is there are actually exploits in this service? No. If we've exploited each service and each tick, what would that give to all the teams? Exploits. Yeah, it would be leaking out exploits to every team. Right? We actually do. Every service has a working exploit that has been tested against it, and it's repeatable, but we don't run those during the game because that would be super, like, that would be us leaking information, right? So, but the script bot can still check that the flags are still there, because for instance, one thing you could do is let's say the flags are stored in some file, you can just write a script and it just deletes it every five seconds. Right? And if you did that, nobody can steal your flags, but now your service is not working as it should, so the script bot every once in a while will check and will use, because it has a flag ID and it's what we call a token internally, so it has some password and some way to access the flag through the normal authentication mechanisms of the system. So, for instance, in my social network example, the flag ID would be the user, the token would be the password, and with that, they can log in, check if the flag is there, and see that it's working. And the other important thing is, if you're all attacking each other from your own IP addresses, if you all have a certain IP address, right, you would be able to trivially tell who's who just by looking at the IP address and the connection, right? So that's why we have a router that's masquerading all the traffic, so it looks like it's coming from one IP address, because otherwise, if you can tell, ah, this is the script bot that's testing me, allow, deny to everyone else, then you have a perfect security without actually doing any cool security ones. You thought of everything? I mean, I'm sure not, but this has been honed over many, many years, so we try. Any other questions? Yes? Is this a standard, is there going to be a policy here? For all of our token board? Ah, yes and no. So this is a standard set, this is the high level attack offense, is yes, this is exactly what it is. Every team has a machine, every, everybody's running identical copies of the services, and you can fire exploits at the other teams. They vary a lot depending on scoring mechanisms, depending on what you can do. I was playing this easy enough. A new trend now is when you patch a service, the patches that you make are then available to all the teams in the game. So you could actually steal somebody's patch binary and deploy it on your own system. So people start putting backdoors in there so that they can access the flag when other people came. Or, and then people, of course, find ways around those backdoors and use the backdoors that the original people are using to get that crazy. There's all kinds of different scoring mechanisms, so every game is different, but the central idea of attack defense is yes, you have a machine and you have to protect it while attacking everyone else. Anything else? All right, so let's... Okay, so now I'm on my machine, right? I'm playing. This is awesome, although apparently I'm in last place. That's not so awesome. Sheep one, I'm in very last place. Okay, great. Oh, that's funny. Shouldn't these be exactly the same? Yeah, you know, so stuff happens. Systems are complicated. So how can I find out what's running on this system? How can I find out what ports are open on this system? What is it? Run API.py? How do I do it with... Oh, sorry. How do I do it with Linux commands? That's that. Let's see. N, L, listening, T, TCP. So if I run this, it'll tell me that port 22, which makes sense because I SSH to this machine. 20,000 one, 20,000 two, 20,000 three, and 20,000 four, also port 80. That's weird. On IPv6. I just port 80 open. Oh, just the default Apache thing. Yeah, that's not great. I mean, it's probably not terrible, but... Okay, so we can see that, and we can also look at the scoreboard, I believe, if we see the service list, it should be here. So it'll tell you all the ports, right? So now we know looking at this, the baby marvel is on port 20,000 and one. Backup's on 20,000 two, 20,000 three, 20,000 four. Where do these live? So what happens? So let's add that cat to team two, because I don't want to attack myself. 2000, 001. Oh, they're not up because they are not running that. Let's do team seven. How are you? So what happens when I do this to another team? Close it. Close it? Okay. He calls the service. Okay. We call the service, what do we see? So we make a TZP connection to that port, and then what happens? It connects to that system, and then runs the baby marvel service. Yeah, but how does it happen? The program, I'm done. I'm actually on basically the... What was it, sitting in? I mean, like this example, the program, Yeah, so one key thing, if we look with the... Let's see. I can only do this if I'm rude, and we don't have rude access on these machines right now. All right. So I can't listen to what program is listening, but... So what's actually listening is... Oh, I should have done this with a game master, so I could go in and through. That's fine. So there's a program called XITED. XITED is essentially made to... You can kind of think of it as it turns command line applications into networked applications. Because when you start looking at this baby marvel and say what... C... Say what? No, sample C. C1. C1. C1 is different. Backup. Backup. Right? You look at these, these are binaries, and they read from standard input and they write to standard output. But we're talking to them over sockets. We know that's not how you write a server in C. You wrote a server in C. You know that you have to set up sockets and say what port you want to listen to. So the idea is... XITED is where everything starts. So XITED, when it starts up, it reads all these config files. This tells it exactly what port to listen on, 20,000 in one, which is exactly the port that we want. You can only have 1,000 instances open at once. That's kind of an interesting thing we got later. It's going to run it as the user CTF underscore baby marvel. So for those of you who are having permission problems, that's probably because it was executing as a different user. BIND I think says what IP address you want it to listen on. And this server, so this is now the program. So basically XITED, every time somebody makes a successful TCP connection to port 20,000 one on any port for this system, it's going to execute slash opctf baby marvel RO slash wrapper.sh. And if we look at that, if we look at that, it's going to do... Can everybody see this? So if we look at opctf baby marvel RO wrapper.sh, it's going to first CD to opctcdf baby marvel read write. So that's kind of interesting. And then it does a check of if this system is... And it's checking if it needs to run it in QMU, but that's fine, but we can see that this is a true check. So yes, these strings are equal. So it's going to run from the directory RW, remember because I changed directory to RW, it's going to do dot dot slash RO baby marvel, which if we look... Yes, is why there is no baby marvel here. Right? So this is why this does not work. So this is why we have those instructions of how to change it and set it up. Because it can't execute anything. So this program does nothing. If we look at something different like backup, we'll see that backup has basically an identical wrapper and then has the file backup. So if we look at that, we can see that the backup program is an L32 bit executable, which means you should be able to figure out what's going on here. So that's basically everything that happens every time you get a connection. And this is fairly standard, I'd say, in terms of CTFs, like using XMND because it's much easier to run a program that doesn't put output from standard to standard out, especially when you get it to people to analyze, that's a lot easier for them to deal with. Cool. All right, so we want to patch. What do we want to patch? So has anybody found any vulnerabilities? Yes? Backup has vulnerabilities, I wrote that. I don't think that's a bonus. That's not pretty good. Let's see if I got this. No. Okay. So, let's look for our friend main. So we have a main function. It's going to change directory to the append directory. So this means it was in opctf, put it in backup, rw, and now it's going to change directory to append. And it has an infinite loop. So it's going to print out the menu, then read in. It's going to call this read line function with 40 into input. It's going to compare the input with one, if it's, oh, string compare returns true. So it'll start backup, otherwise retrieve backup, otherwise good bye. So where's the vulnerability? Retrieve backup. Can retrieve backup? All right, retrieve backup gets a, as a buffer of 200, calls get info. And then here's your backup data that was stored securely. S printf command 200 cat name underscore password dot secure dot back, and then call system. So what's the point of these two lines here? Is it really difficult to see the black background? Yes. I think I can change it. Let's see. And also everyone just got a little bit. Yeah. Quite, quite bright. Okay. So we are then going to do SN printf. So what is, okay. So somebody getting an overview of this service. What is it for? Restoring backups. Doesn't work. So when you make a backup, what does it do? It's files and then creates a backup file. Does what? It takes an input file. It takes an input and a file? Yeah. And then creates a backup with the name that you specified. And then creates a backup with the name. That's why we're trying to execute this. Just so that we can do this. And we can check out from the scoreboard, which we are on. What is it? 2002? Yeah. Okay. So we want to securely start a backup better than securely. New bar. Password. That I use for everything. Okay. Add a file. One byte. All right. Store files. Great. Okay. So now I can retrieve my backup. Where's my stuff? Two. Or is it a new line? Oh, that's fine. Nobody cares. Okay. Cool. I see what happened. Okay. Yes. Okay. Great. So now we can... So how would I exploit this? Does anybody have a... Oh, you don't want to give out your exploits. It's okay. So I'm going to retrieve a backup. What would I do? Yeah, you're just trying to come on with the semi-colon intention. So just with factics or what? You use semi-colon. Yeah. What? Yeah. Bracket. And fragrances. Which fragrances was it? Yeah. Slash bin. Shadows. Oh, that slash. You should be able to see that. Oh, nice. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Okay. Oh, nice. That's pretty cool. Oh, man. Now everyone's going to use this during the final. It won't be these services. I hope you realize that. Okay. Cool. All right. So I'm getting all the flags. Every single flag. All right. That's awesome. Okay. Cool. This is great. Now we can actually see that it was successful. Okay. So what is the goal of these two lines? What's this soap? So let's just... Do we want to get rid of this? Let's just comment this guy out. Although we won't be able to do this because... All right. Let's move it here so we can actually play with it. Okay. So why don't we just... Why don't we just comment out these? Yeah. So what's going to happen when I do... When I compile this? So what should I do before I replace the backup file? Back it up. Take it back out. Yes. I should back it up. I think you're first thing to copy to the file. Yes. It was a trick. Yeah. If you don't do that, you're going to be in trouble. Okay. We're supposed to preserve the username and height. Huh? Yes. And so we will need to copy. So I just made something called backup to CTF, backup, RO, backup. Why it's doing this, but... There we go. It's doing that because you're getting hit from XINED, right? So XINED is executing it so you can't replace the file while it's being used. So I just removed it, which means that everyone who's currently using it will get... They still have a copy denied out on disk. The other ones will still work. Okay. CTF, backup, RO, backup. So it's not by the same users, although I guess technically this would work. It still should work, right? Yeah. Because the idea is CTF, underscore, backup needs to execute it, right? And so with these permissions, but to be a good person because I guess it's possible... I don't know. Anyways, we'll just... We'll do it so it's exactly the same as the other ones. So 7, 5, 0, CTF, backup. C-H-O-N-C-T-F, C-T-F, backup. Off C-T-F, backup, RO, backup. Okay. So I've just read exactly what it was before and now I should be able to get it and now it's executing and it works. So what's gonna happen when I look at the scoreboard? 7 is down. I'm even more in last place, hopefully. Okay. So it hasn't tested it yet? We'll just sit here and look at each other. About 2,218 ticks, that's long ticks. Huh. And you all hide your services up? That's actually pretty good. I'm pretty impressed. It's not gonna... Okay, so what are the things that happen when it finally refreshes and it tests all the service? It should be down live. Yeah, it's not functioning. We removed critical components, right? We removed the part that displays your results. So now this is like, if you're running a website and as a security person, you realize, oh, there's a vulnerability in the login page and the developer just removed logging in from your website. Yeah, so technically, it's a lot more vulnerable, but you now do not have a website, right? You need a website. So this is, you know, the key part here. And this is... It gets very tricky because you don't know exactly what it's been testing, right? So this is why if you try to change some of the text that it's returning, that may cause your test case to fail because that's not the functionality of the site. If you try to filter somehow from a way that the service is not necessarily part of the service, that may be a problem because the service, maybe you can find a semi-colon. Nobody said you couldn't have semi-colons in your name. That kind of depends on the service checking script, right? So that's what I'm just trying to solve for a time. As good as this, the scoreboard was up. It takes a while to propagate. Don't worry, it's like... These numbers are like a rough lie. This is just kind of like where the game sort of is because what has to happen, like I said, is when a new tick happens, there's one component, the GameMask or the GameBot that figures out there's a new tick and schedules every single script that should be run and puts that in the database. There are some script bots that are pulling all of that information and running. So you think about these script bots have to test four times 21 services with multiple, I think it's somewhere between five to seven scripts against each of your services to test them. So... Yeah, there you go. See? It's what? Oh, in here. Yeah, technically this thing. It's like all cached and all types of fun stuff. Yeah, so we can see that now our service is down because we broke our service. The service does not function the way it does normally. And that's why I'm stressing, because at the beginning you need to actually understand the thing that you're trying to test for vulnerabilities, because if you end up removing functionality, then fundamentally you broke the service and so this is why you need a way to reset back to what you were, revert back to the original one. I spent a lot of time in CCS making some changes and looking at scoreboard and realizing the service is down and reverting it because it's better to be up and get points rather than be down. Cool. All right, so how do we fix this? So this was clearly bad. So what do we do? We check if the name is correct. Second what? Check if the name is correct. Yeah, but maybe that'll break it. What if we check to make sure that this final name exists first and then cap the file up? Yeah, we could do, like, some way to do it. It's like file-e or is it? Yeah. Oh, that's interesting. But then we maybe get into a problem with the fact that, so if we check to see if the file exists and then it passes the system, you could still create a file with those names that we talked about first and then get that file and it would pass you to it there and still give you the shell. I can check with Sonic Vols but now I'm trying to blacklist because maybe they could do it other ways maybe all they need is dollar signage parentheses or back takes. What's this code doing? What's the purpose of these two lines of code? Opening the file. Opening a file and doing what with it? Reading it out. And putting it in the sand outlet. Do we know how to do that in C? That wasn't a resounding yes. Yes. We do know how to do that. How do we do that? We need something like F open. Well, first we need our string though, right? So we need the file name that we want to do so we can maybe reuse this and change it here and say now command is essentially our file name. I'm not going to rename the variables because I don't want to deal with them that much. So now the command has the file name we want so now what do we do? Int is F open. R plus. R plus. Okay, good. And then Yeah, we need to read it but we need to read it into somewhere. This is how I code during CTS though sometimes you're going to get the pressure. Alright, so F read into what is it? File pointer. Alright, I'm looking at the man page of F read. F read takes so it takes the buffer we want, the size that they want. It's like the size of the individual fields. Is there a better way to do this? Whatever. Just give me 10,000 bytes. There should be nothing bigger than that from Fp No, no, this is a pointer. This is the pointer you want to read into. And then F right is going to be the same way but reverse so it should be F 10,000 and where do I want to write to? Standard output. It's not a file pointer. What are the other functions I'm thinking of? What uses standard Oh, just read and write. Okay, why don't I use that? Or somebody can tell me so what do I write so how do I get the file pointer from standard input? Maybe I should do this. This is what happens when you do demos live. We'll do something like that. For now it'll complain about us and then since we're good people we'll say F close Fp. Is it going to explode? Oh, that's going to explode. Expect structs by a pointer. That's much easier. It's close enough. It may not be an alternative string. This may be really tough. Who knows? We'll see. What was that? I didn't do what? Fp should be file pointer. I mean, technically. I thought I did that. Oh, because it's not a file pointer. I see. It's useful. That's kidding. Always going to be useful. So do we think this is actually going to work? Do we need to change to CTM? Let's see. Okay, that worked. Let's check the file permissions here. LS. L-A-C-T-F backup RO. Make sure that the permissions are good. Yes, the permissions are good. Okay, now if we try to securely retrieve our backup. What was it? Pipe. Side call. Side call. Well, that's good. Maybe we'll be up next. Who knows? So we could maybe check. We could run TCP dump. It was an ETH0 42002 Maybe with the dash A flag to look at all the stuff. So this is now going to show me all of the... It's probably not good. Oh, unless that's you guys trying to exploit me. Seg fault. Alright, so we can test this. We can try... We can try to... Actually... Okay, so we... Obviously we know everything on our system. So we backup. So we know everything stored in a pen. And so we can get our own thing. And what was it? It was username, password? Okay, so if I want to retrieve the backup. If that's the name. And, of course. That's the great password. Alright, so what did you run? So this is... What is the... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... Is it because the open isn't working? Oh, oh, yes. Okay, I think I know what the problem is. So we are... Yeah, exactly. Because the file system that we're using, the append directory is append only, which means you can create new files, but you can't delete the files that are already created. So we open it up for r plus, which is, I think we're done, right? We can't use that, and so we're getting a system... The problem is fp is going to be null, and so it's trying to use that and dereference that later, and that's with a sec fault. So if we're good programmers, we check if fp... Actually, we can do that real quick. If fp is equal to null... fp... Okay, cool. Oh, we didn't actually change that. Clicking gcc it, copy it. Okay, so it's like, go away, that's good. Because that meant that that file didn't exist, the foobar file. Now I think... Awesome. So you'll check later, and this should work. And then now this team should rise in points because now none of you can exploit that. So... Or I guess it will... The scoring is tricky to understand. I think we will rise relative to the other sheet, but if all of you are running exploits against everyone, they'll still be above the person who's not running exploits. It's a sheet. Cool. Alright, make sense? Cool, so do awesome stuff. Alright. Now let's get back to the web. Sorry to interrupt, but your activity complies with the wireless, so basically they activate all of the security stuff. I mean, the pie, or the nx, and all of the stuff. So for this back up activity, it's also a problem. And I know some of you are trying that out, but because other teams are compiling the politics and the security integral, it doesn't look like we could exploit it correctly. And so during that final security, is there any policy that that quality we should be at the same, it won't be the same stuff or not? Maybe. You never know. I mean, it depends on the service, and what if you want to seek it, and what do you do? It'll be better. Alright, cool. Where were we? Okay, web. Wait, but now it's recording this thing. Okay, just like I need to change this configuration around. Okay, cool. So, we've been talking about the web, and we've been talking that the web uses cookies in order to establish sessions with users, right? So this gives the web server and the web application some sort of memory so it can know who you are and that you're the user that it's seen in the past. So, what does authentication mean? In the context of security in general. You need to play a general note. Yeah, so it's kind of trying to prove to a system you are who you say you are, right? So when you travel and go to the airport and they're checking your ID card, they're authenticating that you are the person that it says on that card, right? So who is the user? So if we can break authentication, we can maybe impersonate other users. So we can log in as different users. We can log in as the administrator. What about authorization? What does authorization mean? Yes, so what can you access, right? So authorization is different than authentication. Why? Different users can have different access. It just makes sense. This is our normal day-to-day life, even something as simple as the homework submission server that you're playing with. You're all students and the TAs and I have elevated account privileges that we can see go through and grade things and see all your submissions, which obviously would be a huge problem if you could see that, right? So authorization, I think of it as what's the user allowed to do? What can they do on your site, right? So authentication is knowing who they are. Authorization is what are they allowed to do? Are they an admin user, a regular user, some kind of guest user? And so if we can break the authorization, that means we can do something that we're not supposed to do, right? But we're not necessarily impersonating somebody else. They're kind of intermixed when you talk about attacks because once I can impersonate you, now I have all of your access and I can do everything you can do. But maybe I can do that without even knowing your username password or breaking the authentication system. So we can attack authentication both the ways. Can you do the web now for a while? How do you authenticate to a website? At which stage? Does that have nobody to do this? You just assume everyone knows who you are. You go to whatever and it says log in. How do you log in? And username and password, right? It's trying to... So one easy way that we can break the authentication is by stealing the username and password. How can we do that? We can fish, so we can create a fake website that has the same username and password account and send it to people. What else can we do? Sniffing, right? We talk about sniffing. We can do our poisoning. We can sniff on an open wireless network. We can try and get a man in the middle and get people to route traffic through us. All of these ways we can then eavesdrop. And if we use an HTTP, which we know does not use any encryption, just sends everything in the clear, you will see the username and password that sent because you know that HTML forms are sent in the body URL, URL X URL encoding or whatever. You can also just guess, right? So you can try... Well, what would you try first? Password. Password. Password. You could try password one, password two, password three. You could try admin-admin. That's one of the most common ones. You may be able to bypass the authentication. Maybe it doesn't even... Maybe. So, especially on the web. So think about this. So when you go to... Has anyone ever sent you a link to a website? And then you were redirected to login first before viewing that link? Yeah. Yeah. How does it do that? Why does it do that? It's checking your cookies, seeing are you logged in or shouldn't it log you out? And then it says, should you be able to view what everything you're viewing? Whoa. And if not, then it's going to redirect you to the login page. And this is actually the fundamental difference between the web and, let's say, a desktop application or most applications, right? An application could walk you through, you go to this screen and then this screen and then this screen. And there's no possible way really for you to just put yourself on the third screen. But what's stopping you as an attacker for making an HTTP request to any URL? Nothing. Fundamentally, you can make a request to any single URL. There are some limitations, like if the URL is a random, it's 128 bits, like a random value that would be very difficult for you to guess about knowing what it is. But once you've visited it once and then you've sent out a link to somebody else, now they can fetch that content if there's no control there. So this is one of the key differences in the web is you can access any, anybody can access any page at any time, so you better make sure that you've locked it down such that only logged in users or only authorized users can visit that site. Cool. Okay, so we talked about this. I'm not going to go into detail about use-dropping credentials. A key thing, so we talked about somebody mentioned cookies. I think that's the new thing here. So yes, so if you steal somebody's cookies, then you can likely use that and send it to the website on your own and the website will think because it uses cookies only in the session, but these are all from the same session. So important if you're developing web applications if there's an attribute on a cookie that a server can set called Secure, which just means only send these cookies through HTTPS, never through HTTP. And this is important because one of the ways, so if I wanted to fish your, let's say, Google cookie and I wanted to see your Google cookie and, well, Google's bad example because this won't work, but maybe it's better if you get an example that won't work. So Google is pretty good about using HTTPS, but when you go to your browser, do you always type in HTTPS colon slash slash Google dot com? No. Normally, if you're going to type a website and you type in HTTP colon slash dot Google dot com and then Google will tell you to redirect to HTTPS Google dot com. But if somebody can man in the middle of that first connection, they can then actually, well, as we saw it, by man in the middle they can control all that page. So they can give you the same Google page, but basically do what's called SSL stripping. So it'll strip out all the SSL. But essentially, somebody could, you think that is a downgrade attack. It's like, normally your this cookie sent through HTTPS, but tricking it to go under HTTP, then maybe you could get the cookie. So, anyways, it's a good flag if you look it up. Brute forcing. So some websites have really four password mechanisms where they say, let's have a, they have, let's say, a pin of four digits to use. And so those can be easily brute forced. And actually, yeah, the thing that's happening more and more is now you have multiple ways to authenticate the system. So not only do you have the website, the username and password, you also have your mobile application, which may have a different way to authenticate with, let's say, a four digit pin. And usually that is a web endpoint that the mobile device talks to, or the mobile application talks to. So you can, if you're trying to brute force it, you wouldn't use the main one, you'd use the mobile endpoint and try to brute force people's passwords. So if any kind of, or session identifier for the cookie value to be some random value, why does it need to be a random, difficult to guess value? Yeah, so it can be either brute forced or spoofed by the client, right? Remember, the client can always send whatever request they want to the server. And so if your session IDs are sequential, that's going to be a problem. If the user specifies a password, that's going to be a, as usually always, a problem. Some other issues with authentication. Yeah, forceful browsing is the main one. So this is the one I mentioned where oftentimes if you need to log in before seeing an element, if you try actually requesting those resources, which is, so this is the idea of forceful browsing means you can browse through any page at any time. So the idea here is by doing that you can bypass authentication many times. If the, anybody ever forget their password on the website? No. No? I don't believe that at all. Unless your password is password on every website. Then you have more problems because they wouldn't all allow that. It's going to just be an A. So yeah, so what happens when you create a password? I forgot the password. You click the forgot the password button, which says what? They say, oh great, we believe you. Welcome to the site. It happened. What do they do? Yeah, they send you an email and usually, if you look closely, the link in that email will contain some random token so that they know that that link that they generated is unique for you that links to your request. You click that link and then they say okay, do they actually know that you own that account on the website? No. What do they know that you own? Email. I mean, you're going to see email from that user. So so this is why this is kind of a side note but this is why your email is one of the most critical things in your online security. Because once somebody owns your email, they literally own every single website you own an account on. They just go, they say, forget my password and the email comes in and they click the link and they just reset your password to whatever they want. So depending on how this token is generated because again, you can put in any email address or whatever account made for forgot my password. So this means that you can say forget some of these password of a user and if you can guess what that token value is going to be you can then actually reset their password. Session fixation which we're not going to go to some web applications are really poorly designed in that they will take the session value in from the user's input. So they'll you'll actually be able to force somebody to have a known session or known cookie identifier. Which now means if I send you this link which sets a session foobar which I know what it is now rather than some random value. Once you're logged in I can then use that session identifier to review. Alright. Yeah. So authorization attacks. So the famous dot dot attack is back again in a new context here. So in the web. So oftentimes if you have some kind of web functionality that's using a local path if you do something with using relative path and you can get different files. For instance oftentimes you'll see some functionality like a PHP script that shows a file that's in some directory and so if you by doing the dot dots that the web application users can access in this case the EDC password file. So now you know what users are on the system. Maybe this helps the system. You can start pulling out some fake files potentially a database all kinds of fun stuff. Actually this is nice to usually you do something like this to get the source code to the PHP and then you find more vulnerabilities and you go from there. Yeah. And so get rid of all dot dots right in your input and so and usually there'll be some kind of web application firewall that looks for this and so obviously you can encode these you can do all kinds of weird stuff. Forcible browsing again okay parameter yes okay so this is actually a huge one so this is the one I think I mentioned last time I was here where basically if and this happens very frequently it ends up in my Facebook right I actually don't remember the URL off the top of my head but it's something like facebook.com slash user slash progile.php and then there's a user name parameter user ID 10,000 one or whatever whatever your Facebook ID is but now that I think about it those are pretty large numbers they're probably hitting that 4 billion number limit anyways so the idea is the web application itself may control if you think about may control let's say it's a social network where you can only see the profiles of your friends right so the web application is designed well in that it never shows you a profile of somebody who's not your friend because you can't click through to it right but if these are just sequential IDs that are not actually very fine that your friends before you see the profile you can just enumerate and change this ID I think I did okay yes go back and look at other stuff this happens a lot a lot more frequently than you would think parameter creation so this is an interesting so we talked about PHP's register globals functionality so there's a lot of applications that still use this functionality or actually mimic this functionality so what register global does this was a while back and we looked at what it would do is let's say you had a link like admin equals one or you had a user ID what this request would do is the PHP environment would create a global variable of the PHP execution context of user ID or a ending with the value of one two two nine or a and also a variable of name type and a variable of name admin so the PHP environment would create these global variables for executing this script which doesn't seem like such a big problem the problem is let's say we have this page which is a feedback page and here we check if there's a name and there's a comment then call file open the user feedback write see this is yeah write to the file the name and the comment close the file and then echo feedback submitted okay yes so this is our example that we saw of how we did register globals right so here we know that this form when it gets submitted it's going to create a global variable of name name and a global variable of name comment with the values that are passed seems like fine functionality that you would want the problem is what if you have code which is stuff that we've already looked for maybe if underscore get password is some you'll never guess this string right let's just assume you'll never guess this string then you set the admin variable to be true right and change reasonable then you say if admin show the secret admin stuff right it's what admin functionality does otherwise go away now the problem is if php registered globals is on what happens if the so let's say a normal request so you request some password parameter of something that's not the password so you're not the administrator then what's this check going to do yeah it's going to say if doge that admin doge that admin is not set so that's going to fail and so you're not going to see the admin stuff but because of registered globals I can create I can make a request with the admin variable already set to true which will fail this authentication check but it will still show me the admin stuff and all it takes is something like this and the admin will then be was already set so you can see it's something really interesting so this is a essentially a configuration setting that makes code that looks like it shouldn't be vulnerable into something that is vulnerable and it used to be this way by default now is no longer default but I've seen applications that will emulate this behavior by iterating through all the get and post and created with the we saw the variable variables it will create in the global scope all of the variables okay some other interesting things you can do so this is more kind of real world kind of testing type things depending on the security and the company or organization that are targeting often times they'll run FTP servers and web servers on the same host so why would they do this and save cost cutting but what else I mean how do you I don't know they have like $5 a month server maybe I think even now there's like $2 or $3 a month server how do you update like the HTML content of normal like cheap servers FTP FTP yeah like this is how you upload content to the server in most cases I think more advanced is SSH or SFTP and so often it runs in the same host so now you have a case where if you can so a lot of FTP servers actually have guest access now if you can upload some content onto the server and let's say if you can upload it to the CGI bin directory it can execute there if you may be able to upload a PHP file and then if it's in the path of the web application you can trick Apache to execute it this actually happens a lot is yeah so if you can upload files specifically like images so not specifically images but I've seen this before we have a valid image file like a PNG file and remember what does PHP do with anything that's not inside PHP tags try to read the yeah just outputs it it doesn't do anything to it so you can have essentially a PNG file and right after that PHP code like a PHP essentially reverse shell and I've seen that before in some actual malicious exploits and payloads they throw at servers so if the now to get this to work is tricky and dependent on the web server and how it actually works sometimes the file name has to end in .php sometimes it doesn't but fundamentally when you as an attacker can upload files to a server that gives you a lot of capabilities so as an developer you need to be very aware of what that does and how it does it okay awesome so this is now what we're going to get into is this is I think one of the fundamental problems in actually most vulnerabilities come down to this concept so in an application what's the difference between code and data? what was that? code is executable code is executable? data data is not in an application is that? metadata subvert that? metadata data by data so what about the CPU? does the CPU does it actually care? it cares in terms of permissions because we've built up all these security mechanisms but if you go back to the Von Neumann model of the computer it's just you have a big thing of memory you have code that you fetch execute and data that you store in there but fundamentally it's all just bits to the CPU there's not a different memory section for code a different memory section for data and this allows you to do really cool things like making self-modifying code or making JIT compilers that create code on the fly and this even goes back into when we I know it's been a long time when we talked about Captain Crunch and the phone freakers they what they did is the data channel the voice channel over the phone network was the same communication channel that transmitted these signals to tell the switch is what to do with the call so by emulating and faking those code signals you got some system to interpret your data as code and really this is so many places here you think about on the stack right save EITs on the stack fundamentally make up code because that tells you where code goes so on the stack you have a mixing of coded data and this means that attackers data can be misinterpreted as code and on the web this is insanely prevalent so basically anywhere that frames are concatenated together in order to create some kind of to produce as an output to a parser there are possible problems and this means when generating HTTP responses when generating HTML responses SQL responses command line SMTP this literally goes on almost every web vulnerability comes down to this idea of mixing code and data in the same channel so when we come back we're going to get into C1's action